Please Update WooCommerce

The WooCommerce and WordPress VIP teams have identified a critical vulnerability in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).

Upon learning of this vulnerability, we immediately implemented a platform-wide mitigation, proactively protecting all WordPress VIP customers. We strongly advise all customers using WooCommerce and WooCommerce Blocks plugins to upgrade as soon as possible. 

WordPress VIP Support can perform this security upgrade on your behalf if desired. To initiate this request, please file a support ticket or contact your Relationship Manager.

How to update

The discovered security vulnerability affects all unpatched versions of WooCommerce from 3.3 to 5.5. If you are using any of these versions of WooCommerce, you will need to install an updated version that includes the security updates.

If possible, we recommend upgrading your WooCommerce installation to 5.5.1, which is the latest available version.

If your site uses the WooCommerce Blocks feature plugin in addition to WooCommerce, you will also need to update that plugin to its latest version, which is 5.5.1.

To upgrade your installed version:

  1. Determine the version of WooCommerce currently in use on your site. You can find this information either within your WordPress admin area, or by checking the readme.txt file for your installed WooCommerce plugin.
  2. Visit the list of available versions on the WooCommerce website and download the most recent release for the major version you have installed. (For example: if you have 5.5.0 installed, you will need to download 5.5.1.) The releases published in response to this security vulnerability are dated July 14, 2021 on the releases page.
  3. Commit the more recent version of the plugin to your site’s repository, and deploy those changes.
  4. Double-check the installed version of the plugin to ensure it has been properly updated.
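As an added helper for step 1 (not part of the advisory and not WooCommerce's own code), the script below reads the version from a plugin readme.txt "Stable tag:" header and classifies it against the ranges stated above. It assumes only the ranges and the 5.5.1 fix version given on this page; it does not know the July 14, 2021 backport numbers for older branches, so it flags any in-range version below 5.5.1 for review.

```python
import re

# Affected ranges from the advisory: WooCommerce 3.3-5.5, WooCommerce Blocks 2.5-5.5.
# 5.5.1 is the fixed release the advisory recommends for both plugins.
AFFECTED = {
    "WooCommerce": ((3, 3), (5, 5)),
    "WooCommerce Blocks": ((2, 5), (5, 5)),
}
FIXED = (5, 5, 1)


def parse_version(text):
    """'5.5.0' -> (5, 5, 0); tuples compare numerically, unlike strings ('5.10' > '5.9')."""
    return tuple(int(p) for p in text.strip().split("."))


def version_from_readme(readme):
    """Pull the version from the 'Stable tag:' header a WordPress plugin readme.txt carries."""
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)\s*$", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess(plugin, version):
    """Classify an installed version as 'patched', 'not-affected' or 'needs-update'."""
    v = parse_version(version)
    lo, hi = AFFECTED[plugin]
    if v >= FIXED:
        return "patched"
    if v[:2] < lo or v[:2] > hi:
        return "not-affected"
    # In the affected range and below 5.5.1. Older branches received their own
    # July 14, 2021 releases, which this check does not know, so they are flagged too.
    return "needs-update"


def audit_readme(plugin, readme):
    """Return (version, verdict) for a readme.txt body; verdict is 'unknown' if no tag found."""
    ver = version_from_readme(readme)
    if ver is None:
        return (None, "unknown")
    return (ver, assess(plugin, ver))


# Constructed sample readme.txt, not a file taken from a real site.
SAMPLE_README = """=== WooCommerce ===
Requires at least: 5.5
Stable tag: 5.5.0
License: GPLv3
"""

if __name__ == "__main__":
    print(audit_readme("WooCommerce", SAMPLE_README))  # ('5.5.0', 'needs-update')
```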

More detailed information regarding the plugin installation process on WordPress VIP can be found in the following documentation pages:

Resolved: WordPress.com VIP Dashboard Service Outage

Root cause analysis:

Here is an update on what caused this issue on November 16th and what we have done to prevent it from happening again. First, some background on jobs on WordPress.com. To speed up common actions such as publishing a post, WordPress.com defers much of the work triggered by those actions to jobs that run afterwards, asynchronously from the publish action itself. Today we run about 25 million of these jobs daily across WordPress.com. The jobs system understands priority, which allows us to use the same system for both important and less important work. Here is the timeline of events:

9:15AM PST: A member of our support team flagged that a large number of items were pending for one of the lower-priority tasks run by the jobs system. An initial investigation showed that the workers that normally process this task had stopped running. Unfortunately, the monitoring we had in place to catch this had also been broken by an unrelated problem.

10:52AM PST: One of our engineers manually restarted the task, which began to process the large backlog of items in the queue. Unfortunately, the task was started with a concurrency of 10 instead of the designed concurrency of 1.

10:54AM PST: Our systems team was alerted to a performance degradation of the jobs system and began their investigation.

10:56AM PST: The original task started at 10:52AM was stopped by our engineering team.

11:02AM PST: Everything returned to normal.

There were a couple of takeaways from this event that will prevent a similar issue from happening in the future:

  • We have improved the monitoring to ensure that all jobs, even low priority ones, are running as expected.
  • We have started working on a change to allow a developer to specify the maximum concurrency at which a job should be run at the time the job is created. Previously this was handled in documentation, but having it enforced programmatically will ensure errors like this can’t happen in the future.
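As an added illustration of the second takeaway (example code, not WordPress.com's jobs system), the job definition below carries its concurrency ceiling and the runner refuses to start more workers than declared, so a restart at concurrency 10 for a job designed for 1 fails with an error instead of overloading the service. Job names, the handler and the backlog items are constructed for the example.

```python
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class JobSpec:
    """A job type declares its ceiling when it is created; the runner enforces it."""
    name: str
    max_concurrency: int


class ConcurrencyExceeded(ValueError):
    """Raised when a start request asks for more workers than the job allows."""


class JobRunner:
    def __init__(self):
        self._specs = {}
        self._inflight = {}   # job name -> workers currently processing an item
        self._peak = {}       # job name -> highest in-flight count observed
        self._lock = threading.Lock()

    def register(self, spec):
        if spec.max_concurrency < 1:
            raise ValueError("max_concurrency must be at least 1")
        self._specs[spec.name] = spec
        self._inflight[spec.name] = 0
        self._peak[spec.name] = 0

    def run_backlog(self, name, items, workers, handler):
        """Drain items with `workers` threads; returns the peak concurrency reached."""
        spec = self._specs[name]
        if workers > spec.max_concurrency:  # the enforcement point, not a doc note
            raise ConcurrencyExceeded(
                f"{name}: requested {workers} workers, limit is {spec.max_concurrency}")
        queue = list(items)

        def worker():
            while True:
                with self._lock:
                    if not queue:
                        return
                    item = queue.pop()
                    self._inflight[name] += 1
                    self._peak[name] = max(self._peak[name], self._inflight[name])
                try:
                    handler(item)
                finally:
                    with self._lock:
                        self._inflight[name] -= 1

        threads = [threading.Thread(target=worker) for _ in range(workers)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return self._peak[name]
```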

----

From approximately 18:54 to 19:02 UTC (10:54 to 11:02 PST), wp-admin pages for some WordPress.com VIP sites were unavailable or unresponsive. This outage was caused by an overload of the asynchronous jobs service, which in turn affected dashboard web servers.

This disruption did not affect the VIP Go service.

Automattic/WordPress.com is auditing the responsible code and processes to ensure they do not cause any further outages.

We apologize for the disruption. Please contact VIP Support if you have any additional questions.

For real-time updates on service availability, please follow our status Twitter account at @WPVIPStatus.

Upcoming Toronto BigWP Event and Training

We’re excited to announce that we’ll be hosting both a BigWP event and a training course in the Toronto area next month.

BigWP

BigWP is a networking and education event focused on supporting developers, product managers, and editorial teams who run large, high-traffic WordPress sites. We’ll have a handful of short (5-10 minute) flash talks on various topics in enterprise-level WordPress and WordPress.com VIP.

When: Tuesday, March 15th at 7 p.m.
Where: Shaw Media, 121 Bloor St. East
Event and speaker information is here.

Training: Developer Fundamentals II

WordPress Fundamentals II is a day-long, intensive course meant to improve WordPress developers’ understanding of advanced concepts. The workshop focuses on code security and performance, and will be taught by Stéphane Boisvert and Mo Jangda.

We recommend the training session for all developers working with enterprise-level WordPress deployments as the concepts discussed will apply universally.

When: Tuesday, March 15th at 9 a.m.
Where: The Foundery, 376 Bathurst St.
Cost: $950 CAD per attendee
For more details or to purchase a ticket, please visit the Eventbrite page. The class is limited to 20 participants.

If you have any questions regarding these events, please feel free to contact me at rmarkel@automattic.com.

We’ll see you there!

VIP Live Chat Support – Coming July 1st

After some testing, it’s time to take the wraps off a new feature we’ll be launching next week on WordPress.com VIP! On the wider WordPress.com service, we have been offering direct, live chat support to more and more users in an effort to serve them as efficiently as possible. It’s been well-received and the customer response has been off-the-charts amazing. Live chat support has been a really successful and helpful service for our customers, adding another—much faster—channel to our support offerings.

We took a look at WordPress.com VIP, and we noted that while your developers and business people know where to reach our team and ask for help, it’s not quite as obvious to the users who are creating and curating content for your sites.

So, starting next Tuesday, we will begin offering live chat support to all users with access to VIP site dashboards. Your users will see this box in the lower-right corner of your site dashboards:

[Screenshot: the live chat box in the lower-right corner of the site dashboard]

Clicking on that box will expand a text area where they can enter a question:

[Screenshot: the expanded chat box with a text area for entering a question]

We’ll be standing by to assist your authors and editors and get back to them right away to assist them with their WordPress.com questions as quickly and efficiently as possible.

The WordPress.com VIP team is super-excited to bring this feature to your editorial teams. Live chat support will help them get their work done more efficiently, and free up your developers to focus on more non-support projects!

If you have questions about this feature, we invite you to contact us at support@vip.wordpress.com at any time either prior to the launch of the feature or once it’s up and running. We’ll be happy to discuss it with you and let you know more!